Hannaford
said an "illicit and unauthorized computer program" was secretly
installed on servers at every one of its grocery stories in Maine, Vermont, New Hampshire, Massachusetts and New York.

A targeted malware attack described as "new
and sophisticated" is to be blamed for the data breach at Hannaford Bros. Co.
that exposed more than four million credit and debit card numbers to identity
thieves, the supermarket chain said in a letter to regulators in
Massachusetts.

In the letter, which was sent by Hannaford general counsel
Emily Dickinson, the company said an "illicit and unauthorized computer program"
was secretly installed on servers at every one of its 300-plus grocery stories
in Maine, Vermont, New Hampshire, Massachusetts and New York.

According
to the Boston Globe, which first reported on Hannaford's explanations to
Massachusetts Attorney General Martha Coakley and Governor Deval Patrick's
Office of Consumer Affairs and Business Regulation, the malicious Trojan was programmed to hijack
what is described as "Track 2" data from the magnetic stripe of credit and debit
cards being swiped at Hannaford's checkout counters.